Methodology

Our testing methodology is based on a variety of security standards including, but not limited to, NIST, OWASP, and industry best practices. We put each target through this process to ensure a quality test every time and to meet our service commitments. Our test results can be used to support compliance standards (PCI, HIPAA, etc.) or best practices.

We use a tried-and-true methodology that ensures both depth and breadth in our Security Testing Process:

01.

Information Gathering + Enumeration

This is the most crucial stage of the assessment. In this phase, we learn everything we can about your environment by assessing technologies used, possible attack points, open ports, and anything else publicly discoverable. What we find here serves as the baseline for all future tests.

02.

Vulnerability Detection

We use a hybrid approach of manual testing techniques and automated scanning tools to look for possible vulnerabilities in your environment.

03.

Analysis

Now it's time to develop a plan. Based on what we have learned up to this point, we decide which attack vectors to pursue further and start testing.

04.

Vulnerability Exploitation + Leverage

This is where the real fun begins. A successful attack is almost always the result of chaining vulnerabilities together until the target is fully compromised. This is typically a circular process, in which vulnerabilities are tested for, exploited, and then leveraged to test for more issues. The process repeats itself until the goal is achieved.

We deliver actionable advice combined with a formal report

We'll assess your web applications, network hosts, APIs, and mobile applications for security issues. We'll then discuss the issues with your team and provide a report detailing our findings with proofs of concept and remediation instructions. This report can be used in support of compliance (PCI, HIPAA, etc.) or best practices.

What comes next?

Once we have completed our testing, we'll work closely with your team to provide remediation instructions and other ways to improve your overall security profile. We are not auditors. Our goal is to show our clients secure coding techniques and best practices that can be applied both now and in the future when releasing new products or features.